DOCSLIB.ORG

Cold Boot Attacks on Post-Quantum Schemes

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Cold Boot Attacks on Post-Quantum Schemes Cold Boot Attacks on Post-Quantum Schemes Ricardo Luis Villanueva Polanco Thesis submitted to the University of London for the degree of Doctor of Philosophy Information Security Group School of Mathematics and Information Security Royal Holloway, University of London 2018 Declaration These doctoral studies were conducted under the supervision of Professor Kenneth G. Pa- terson. The work presented in this thesis is the result of original research I conducted, in collabo- ration with others, whilst enrolled in the School of Mathematics and Information Security as a candidate for the degree of Doctor of Philosophy. This work has not been submitted for any other degree or award in any other university or educational establishment. Ricardo Luis Villanueva Polanco June 2018 2 Abstract Cryptographic models are intended to represent an adversary's capabilities when attacking encryption schemes. Models often err on the side of caution by over-estimating the power of adversaries. However, several recent attacks reported in the literature demonstrate that measuring an adversary's potential is a difficult task. This thesis will view the cryptographic landscape from the perspective of an adversary and the implementer. We study how an adversary can take advantage of leaked information about a private key. The particular scenario we study is the cold boot attack whereby an adversary can procure a noisy version of the key (i.e. the extracted data will contain errors) from a computer's main memory. Such an attack is not traditionally modelled by the standard security games. We show how the adversary might recover the original secret key, and hence compromise security, for some lattice-based schemes such as NTRU and BLISS, as well as the signature scheme Rainbow, which is based on multivariate polynomials over a finite field, and finally the McEliece crypto-system, which is a code-based asymmetric encryption scheme. We mount our attacks against specific real-world implementations of each of these schemes. For each scheme, we will study it and review at least one real-world implementation of the scheme. Moreover, for each implementation of a particular scheme, we will concern ourselves with acquiring knowledge of and evaluating each of the formats used to store the scheme's private key in memory, and then propose specific algorithms for key recovery in the cold boot attack setting. Our approach to key recovery is general and based on the combination of key enumeration algorithms and other techniques. Basically, an original secret key is seen as a concatenation of multiple chunks, each of which has a fixed number of bits and takes multiple values. These chunks then are combined to produce candidates for the secret key. These key enumeration algorithms have been already used in other side-channel scenarios with a variety of different approaches being used to solving the problem. 3 Contents 1 Introduction 13 1.1 Motivation . 13 1.2 Thesis Structure . 15 1.3 Associated Publications . 16 2 Background 17 2.1 Side Channel Attacks . 17 2.2 Cold Boot Attacks . 18 2.2.1 RSA Setting . 21 2.2.2 Discrete Logarithm Setting . 22 2.2.3 Symmetric Key Setting . 22 2.2.4 Learning with Errors Setting . 22 2.3 Cold boot Attack Model . 23 2.4 Log Likelihood Statistic for Key Candidates . 24 2.5 Combining Chunks to Build Key Candidates . 24 3 Key Enumeration Algorithms 26 3.1 Introduction . 26 3.1.1 Some Definitions . 26 3.1.2 Problem Statement . 27 3.2 Key Enumeration Algorithms . 29 3.2.1 An Optimal Key Enumeration Algorithm . 29 3.2.1.1 Setup . 29 3.2.1.2 Basic Algorithm . 30 3.2.1.3 Complete Algorithm . 31 3.2.1.4 Memory Consumption . 34 3.2.2 A Bounded-Space Near-Optimal Key Enumeration Algorithm . 36 3.2.2.1 Basic Algorithm . 36 4 CONTENTS 3.2.2.2 Complete Algorithm . 38 3.2.2.3 Parallelisation . 40 3.2.2.4 Variant . 42 3.2.3 A Simple Stack-Based, Depth-First Key Enumeration Algorithm . 42 3.2.3.1 Setup . 43 3.2.3.2 Complete Algorithm . 44 3.2.3.3 Speeding up the Pruning Process . 44 3.2.3.4 Memory Consumption . 45 3.2.3.5 Parallelisation . 46 3.2.3.6 Threshold Algorithm . 47 3.2.4 A Score-Based Key Enumeration Algorithm . 48 3.2.4.1 Complete Algorithm . 50 3.2.4.2 Parallelisation . 52 3.2.4.3 Running Times . 53 3.2.4.4 Memory Consumption . 54 3.2.5 A Key Enumeration Algorithm using Histograms . 56 3.2.5.1 Setup . 56 3.2.5.2 Complete Algorithm . 57 3.2.5.3 Parallelisation . 59 3.2.5.4 Memory Consumption . 60 3.2.5.5 Equivalence with the path counting approach . 61 3.2.6 A Quantum Key Search Algorithm . 62 3.3 Comparison of Key Enumeration Algorithms . 66 3.3.1 Implementation . 66 3.3.2 Scenario . 66 3.3.3 Results per algorithms . 67 3.3.4 Discussion . 71 3.4 Chapter Conclusions . 72 4 Cold Boot Attack on NTRU 74 4.1 Introduction . 74 4.2 NTRU Encryption Scheme . 76 4.2.1 NTRU Public Key Encryption Scheme . 77 4.2.2 The NTRU Key Recovery Problem . 78 4.3 Private Key Formats for NTRU Implementations . 78 5 CONTENTS 4.3.1 The tbuktu/Bouncy Castle Java Implementation. 79 4.3.2 Reference Parameters for tbuktu .................... 80 4.3.3 The ntru-crypto Java Implementation . 80 4.3.4 The ntru-crypto C Implementation . 80 4.3.5 Reference Parameters for ntru-crypto ................ 81 4.4 Mounting Cold Boot Key Recovery Attacks . 82 4.4.1 Key Recovery Strategy . 82 4.4.2 The ntru-crypto Java Implementation . 83 4.4.3 The ntru-crypto C Implementation . 84 4.4.4 The tbuktu Java Implementation . 86 4.5 Experimental Evaluation . 87 4.5.1 Implementation . 87 4.5.2 Parallelisation . 88 4.5.3 Search Intervals . 88 4.5.4 Simulations . 89 4.5.5 Results for the ntru-crypto Java Implementation . 89 4.5.6 Results for the tbuktu Java Implementation . 90 4.5.6.1 Counting Candidates and Estimating Running Times . 90 4.5.6.2 Parameters . 91 4.5.6.3 Results { Complete Enumeration . 91 4.5.6.4 Results { Partial Enumeration . 93 4.5.6.5 Running times . 94 4.6 Chapter Conclusions . 94 5 Cold Boot Attacks on BLISS 95 5.1 Introduction . 95 5.2 Preliminaries . 97 5.2.1 Notation . 97 5.2.2 Lattices and Bases . 97 5.2.2.1 Shortest Vector Problem (SVP) . 98 5.2.2.2 Bounded Distance Decoding (BDD) . 98 5.2.2.3 Babai's Nearest Plane Algorithm . 99 5.3 BLISS Signature Scheme . 99 5.3.1 The BLISS Key Generation Algorithm . 99 5.4 The strongSwan Project . 100 6 CONTENTS 5.4.1 The strongSwan BLISS Implementation . 100 5.5 Mounting Cold Boot Key Recovery Attacks . 102 5.5.1 Initial Observations . 102 5.5.2 Key Recovery Via Key Enumeration . 103 0 5.5.2.1 Constructing Lf from s1 ................... 103 0 5.5.2.2 Constructing Lh from s2 ................... 104 5.5.2.3 Combining Lf and Lh ..................... 106 5.5.2.4 Enumerating Only Candidates for f ............. 107 5.5.3 Casting the Problem as an LWE Instance . 109 5.5.3.1 Meet-in-the-Middle Attacks . 111 5.5.3.2 Parallel Collision Search . 113 5.5.3.3 Hybrid attack on LWE . 115 5.5.3.4 Combining Lattice Techniques and Key Enumeration . 116 5.6 Experimental Evaluation . 118 5.6.1 Simulations . 118 5.6.2 Key Recovery Via Key Enumeration . 119 5.6.2.1 Parameters . 119 5.6.2.2 Setup . 119 5.6.2.3 Key Enumeration Algorithm for Phase II ......... 119 5.6.2.4 Results . 121 5.7 Chapter Conclusions . 124 6 Cold Boot Attacks on Rainbow 126 6.1 Introduction . 126 6.2 Multivariable Cryptosystems . 128 6.2.1 The Oil and Vinegar Signature Scheme . 129 6.2.2 Rainbow, a Signature Scheme . 131 6.3 Rainbow Implementations . 134 6.3.1 The Reference Implementation . 134 6.3.2 The.
Load more

Recommended publications
  • Lectures on the NTRU Encryption Algorithm and Digital Signature Scheme: Grenoble, June 2002
    Lectures on the NTRU encryption algorithm and digital signature scheme: Grenoble, June 2002 J. Pipher Brown University, Providence RI 02912 1 Lecture 1 1.1 Integer lattices Lattices have been studied by cryptographers for quite some time, in both the field of cryptanalysis (see for example [16{18]) and as a source of hard problems on which to build encryption schemes (see [1, 8, 9]). In this lecture, we describe the NTRU encryption algorithm, and the lattice problems on which this is based. We begin with some definitions and a brief overview of lattices. If a ; a ; :::; a are n independent vectors in Rm, n m, then the 1 2 n ≤ integer lattice with these vectors as basis is the set = n x a : x L f 1 i i i 2 Z . A lattice is often represented as matrix A whose rows are the basis g P vectors a1; :::; an. The elements of the lattice are simply the vectors of the form vT A, which denotes the usual matrix multiplication. We will specialize for now to the situation when the rank of the lattice and the dimension are the same (n = m). The determinant of a lattice det( ) is the volume of the fundamen- L tal parallelepiped spanned by the basis vectors. By the Gram-Schmidt process, one can obtain a basis for the vector space generated by , and L the det( ) will just be the product of these orthogonal vectors. Note that L these vectors are not a basis for as a lattice, since will not usually L L possess an orthogonal basis.
    [Show full text]
  • Revention of Coldboot Attack on Linux Systems Measures to Prevent Coldboot Attack
    Special Issue - 2017 International Journal of Engineering Research & Technology (IJERT) ISSN: 2278-0181 ICIATE - 2017 Conference Proceedings Prevention of Coldboot Attack on Linux Systems Measures to Prevent Coldboot Attack Siddhesh Patil Ekta Patel Nutan Dhange Information Technology, Atharva Information Technology, Atharva Assistant Professor College of Engineering College of Engineering Information Technology, Atharva Mumbai University Mumbai University College of Engineering Mumbai, India Mumbai, India Mumbai University Mumbai, India Abstract— Contrary to the popular belief, DDR type RAM boot attack techniques. We implement measures to ensure that data modules retain stored memory even after power is cut off. stays secure on system shutdown. Data security is critical for most Provided physical access to the cryptosystem, a hacker or a of the business and even home computer users. RAM is used to store forensic specialist can retrieve information stored in the RAM non-persistent information into it. When an application is in use, by installing it on another system and booting from a USB drive user-specific or application-specific data may be stored in RAM. to take a RAM dump. With adequate disassembly and analytic This data can be sensitive information like client information, tools, this information stored in the RAM dump can be payment details, personal files, bank account details, etc. All this deciphered. Hackers thrive on such special-case attack information, if fallen into wrong hands, can be potentially techniques to gain access to systems with sensitive information. dangerous. The goal of most unethical hackers / attackers is to An unencrypted RAM module will contain the decryption key disrupt the services and to steal information.
    [Show full text]
  • NTRU Cryptosystem: Recent Developments and Emerging Mathematical Problems in Finite Polynomial Rings
    XXXX, 1–33 © De Gruyter YYYY NTRU Cryptosystem: Recent Developments and Emerging Mathematical Problems in Finite Polynomial Rings Ron Steinfeld Abstract. The NTRU public-key cryptosystem, proposed in 1996 by Hoffstein, Pipher and Silverman, is a fast and practical alternative to classical schemes based on factorization or discrete logarithms. In contrast to the latter schemes, it offers quasi-optimal asymptotic effi- ciency and conjectured security against quantum computing attacks. The scheme is defined over finite polynomial rings, and its security analysis involves the study of natural statistical and computational problems defined over these rings. We survey several recent developments in both the security analysis and in the applica- tions of NTRU and its variants, within the broader field of lattice-based cryptography. These developments include a provable relation between the security of NTRU and the computa- tional hardness of worst-case instances of certain lattice problems, and the construction of fully homomorphic and multilinear cryptographic algorithms. In the process, we identify the underlying statistical and computational problems in finite rings. Keywords. NTRU Cryptosystem, lattice-based cryptography, fully homomorphic encryption, multilinear maps. AMS classification. 68Q17, 68Q87, 68Q12, 11T55, 11T71, 11T22. 1 Introduction The NTRU public-key cryptosystem has attracted much attention by the cryptographic community since its introduction in 1996 by Hoffstein, Pipher and Silverman [32, 33]. Unlike more classical public-key cryptosystems based on the hardness of integer factorisation or the discrete logarithm over finite fields and elliptic curves, NTRU is based on the hardness of finding ‘small’ solutions to systems of linear equations over polynomial rings, and as a consequence is closely related to geometric problems on certain classes of high-dimensional Euclidean lattices.
    [Show full text]
  • CIS 4360 Secure Computer Systems Attacks Against Boot And
    CIS 4360 Secure Computer Systems Attacks against Boot and RAM Professor Qiang Zeng Spring 2017 Previous Class • BIOS-MBR: Generation I system boot – What BIOS and MBR are? – How does it boot the system? // Jumping to MBR – How does multi-boot work? // Chain-loading • The limitations of BIOS and MBR – Disk, memory, file system, multi-booting, security, … • UEFI-GPT: Generation II system boot – What UEFI and GPT are? – How does it boot the system? // UEFI boot manager – How does multi-boot work? // separate dirs in ESP CIS 4360 – Secure Computer Systems 2 Limitations of BIOS-MBR • MBR is very limited – Support ~2TB disk only – 4 primary partitions at most (so four OSes at most) – A MBR can store only one boot loader • BIOS is very restrictive – 16-bit processor mode; 1MB memory space (little spare space to accommodate a file system driver) – Blindly executes whatever code on MBR CIS 4360 – Secure Computer Systems 3 UEFI vs. BIOS • Disk partitioning schemes – GPT (GUID Partition Table): part of UEFI spec.; to replace MBR – MBR supports disk size 232 x 512B = 2TB, while UEFI supports much larger disks (264 x 512B = 8,000,000,000 TB) – MBR supports 4 partitions, while GPT supports 128 • Memory space – BIOS: 20-bit addressing; UEFI: 32-bit or 64-bit • Pre-OS environment – BIOS only provides raw disk access, while UEFI supports the FAT file system (so you can use file names to read files) • Booting – BIOS supports boot through boot sectors (MBR and VBR) – UEFI provides a boot partition of hundreds of megabytes (and boot manager and secure boot) CIS 4360 – Secure Computer Systems 4 Previous Class How does dual-boo-ng of Linux and Windows work in UEFI-GPT? Each vendor has a separate directory storing its own boot loader code and configuraon files in the ESP (EFI System Par--on).
    [Show full text]
  • Performance Evaluation of RSA and NTRU Over GPU with Maxwell and Pascal Architecture
    Performance Evaluation of RSA and NTRU over GPU with Maxwell and Pascal Architecture Xian-Fu Wong1, Bok-Min Goi1, Wai-Kong Lee2, and Raphael C.-W. Phan3 1Lee Kong Chian Faculty of and Engineering and Science, Universiti Tunku Abdul Rahman, Sungai Long, Malaysia 2Faculty of Information and Communication Technology, Universiti Tunku Abdul Rahman, Kampar, Malaysia 3Faculty of Engineering, Multimedia University, Cyberjaya, Malaysia E-mail: [email protected]; {goibm; wklee}@utar.edu.my; [email protected] Received 2 September 2017; Accepted 22 October 2017; Publication 20 November 2017 Abstract Public key cryptography important in protecting the key exchange between two parties for secure mobile and wireless communication. RSA is one of the most widely used public key cryptographic algorithms, but the Modular exponentiation involved in RSA is very time-consuming when the bit-size is large, usually in the range of 1024-bit to 4096-bit. The speed performance of RSA comes to concerns when thousands or millions of authentication requests are needed to handle by the server at a time, through a massive number of connected mobile and wireless devices. On the other hand, NTRU is another public key cryptographic algorithm that becomes popular recently due to the ability to resist attack from quantum computer. In this paper, we exploit the massively parallel architecture in GPU to perform RSA and NTRU computations. Various optimization techniques were proposed in this paper to achieve higher throughput in RSA and NTRU computation in two GPU platforms. To allow a fair comparison with existing RSA implementation techniques, we proposed to evaluate the speed performance in the best case Journal of Software Networking, 201–220.
    [Show full text]
  • Low-Cost Mitigation Against Cold Boot Attacks for an Authentication Token
    Low-cost Mitigation against Cold Boot Attacks for an Authentication Token Ian Goldberg?1, Graeme Jenkinson2, and Frank Stajano2 1 University of Waterloo (Canada) 2 University of Cambridge (United Kingdom) Abstract. Hardware tokens for user authentication need a secure and usable mechanism to lock them when not in use. The Pico academic project proposes an authentication token unlocked by the proximity of simpler wearable devices that provide shares of the token’s master key. This method, however, is vulnera- ble to a cold boot attack: an adversary who captures a running Pico could extract the master key from its RAM and steal all of the user’s credentials. We present a cryptographic countermeasure—bivariate secret sharing—that protects all the credentials except the one in use at that time, even if the token is captured while it is on. Remarkably, our key storage costs for the wearables that supply the cryp- tographic shares are very modest (256 bits) and remain constant even if the token holds thousands of credentials. Although bivariate secret sharing has been used before in slightly different ways, our scheme is leaner and more efficient and achieves a new property—cold boot protection. We validated the efficacy of our design by implementing it on a commercial Bluetooth Low Energy development board and measuring its latency and energy consumption. For reasonable choices of latency and security parameters, a standard CR2032 button-cell battery can power our prototype for 5–7 months, and we demonstrate a simple enhancement that could make the same battery last for over 9 months.
    [Show full text]
  • Qchain: Quantum-Resistant and Decentralized PKI Using Blockchain
    SCIS 2018 2018 Symposium on Cryptography and Information Security Niigata, Japan, Jan. 23 - 26, 2018 The Institute of Electronics, Copyright c 2018 The Institute of Electronics, Information and Communication Engineers Information and Communication Engineers QChain: Quantum-resistant and Decentralized PKI using Blockchain Hyeongcheol An ∗ Kwangjo Kim ∗ Abstract: Blockchain was developed under public domain and distributed database using the P2P connection. Therefore, blockchain does not have any central administrator or Certificate Au- thority(CA). However, Public Key Infrastructure(PKI) must have CA which issues and signs the digital certificates. PKI CA must be fully trusted by all parties in a domain. Also, current public key cryptosystem can be broken using quantum computing attacks. The post-quantum cryptography (PQC) must be secure against the quantum adversary. We combine blockchain technique with one of post-quantum cryptography lattice-based cryptosystems. In this paper, we suggest QChain which is quantum-resistant decentralized PKI system using blockchain. We propose modified lattice-based GLP signature scheme. QChain uses modified GLP signature which uses Number Theoretic Transformation (NTT). We compare currently used X.509 v3 PKI and QChain certificate. Keywords: blockchain, post-quantum cryptography, lattice, decentralized PKI 1 Introduction ficulty of Discrete Logarithm Problem (DLP) and In- teger Factorization Problem (IFP). However, DLP and 1.1 Motivation IFP can be solved within the polynomial time by Shor's Public-key cryptosystem needs Public Key Infras- algorithm[3] using the quantum computer. Therefore, tructure (PKI) which is to guarantee the integrity of we need secure public key cryptosystem against the for all user's public key. Currently used PKI system quantum adversary.
    [Show full text]
  • On the Security of Lattice-Based Cryptography Against Lattice Reduction and Hybrid Attacks
    On the Security of Lattice-Based Cryptography Against Lattice Reduction and Hybrid Attacks Vom Fachbereich Informatik der Technischen Universit¨atDarmstadt genehmigte Dissertation zur Erlangung des Grades Doktor rerum naturalium (Dr. rer. nat.) von Dipl.-Ing. Thomas Wunderer geboren in Augsburg. Referenten: Prof. Dr. Johannes Buchmann Dr. Martin Albrecht Tag der Einreichung: 08. 08. 2018 Tag der m¨undlichen Pr¨ufung: 20. 09. 2018 Hochschulkennziffer: D 17 Wunderer, Thomas: On the Security of Lattice-Based Cryptography Against Lattice Reduction and Hybrid Attacks Darmstadt, Technische Universit¨atDarmstadt Jahr der Ver¨offentlichung der Dissertation auf TUprints: 2018 Tag der m¨undlichen Pr¨ufung:20.09.2018 Ver¨offentlicht unter CC BY-SA 4.0 International https://creativecommons.org/licenses/ Abstract Over the past decade, lattice-based cryptography has emerged as one of the most promising candidates for post-quantum public-key cryptography. For most current lattice-based schemes, one can recover the secret key by solving a corresponding instance of the unique Shortest Vector Problem (uSVP), the problem of finding a shortest non-zero vector in a lattice which is unusually short. This work is concerned with the concrete hardness of the uSVP. In particular, we study the uSVP in general as well as instances of the problem with particularly small or sparse short vectors, which are used in cryptographic constructions to increase their efficiency. We study solving the uSVP in general via lattice reduction, more precisely, the Block-wise Korkine-Zolotarev (BKZ) algorithm. In order to solve an instance of the uSVP via BKZ, the applied block size, which specifies the BKZ algorithm, needs to be sufficiently large.
    [Show full text]
  • Making NTRU As Secure As Worst-Case Problems Over Ideal Lattices
    Making NTRU as Secure as Worst-Case Problems over Ideal Lattices Damien Stehlé1 and Ron Steinfeld2 1 CNRS, Laboratoire LIP (U. Lyon, CNRS, ENS Lyon, INRIA, UCBL), 46 Allée d’Italie, 69364 Lyon Cedex 07, France. [email protected] – http://perso.ens-lyon.fr/damien.stehle 2 Centre for Advanced Computing - Algorithms and Cryptography, Department of Computing, Macquarie University, NSW 2109, Australia [email protected] – http://web.science.mq.edu.au/~rons Abstract. NTRUEncrypt, proposed in 1996 by Hoffstein, Pipher and Sil- verman, is the fastest known lattice-based encryption scheme. Its mod- erate key-sizes, excellent asymptotic performance and conjectured resis- tance to quantum computers could make it a desirable alternative to fac- torisation and discrete-log based encryption schemes. However, since its introduction, doubts have regularly arisen on its security. In the present work, we show how to modify NTRUEncrypt to make it provably secure in the standard model, under the assumed quantum hardness of standard worst-case lattice problems, restricted to a family of lattices related to some cyclotomic fields. Our main contribution is to show that if the se- cret key polynomials are selected by rejection from discrete Gaussians, then the public key, which is their ratio, is statistically indistinguishable from uniform over its domain. The security then follows from the already proven hardness of the R-LWE problem. Keywords. Lattice-based cryptography, NTRU, provable security. 1 Introduction NTRUEncrypt, devised by Hoffstein, Pipher and Silverman, was first presented at the Crypto’96 rump session [14]. Although its description relies on arithmetic n over the polynomial ring Zq[x]=(x − 1) for n prime and q a small integer, it was quickly observed that breaking it could be expressed as a problem over Euclidean lattices [6].
    [Show full text]
  • Eindhoven University of Technology MASTER Towards Post-Quantum
    Eindhoven University of Technology MASTER Towards post-quantum bitcoin side-channel analysis of bimodal lattice signatures Groot Bruinderink, L. Award date: 2016 Link to publication Disclaimer This document contains a student thesis (bachelor's or master's), as authored by a student at Eindhoven University of Technology. Student theses are made available in the TU/e repository upon obtaining the required degree. The grade received is not published on the document as presented in the repository. The required complexity or quality of research of student theses may vary by program, and the required minimum study period may vary in duration. General rights Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. • Users may download and print one copy of any publication from the public portal for the purpose of private study or research. • You may not further distribute the material or use it for any profit-making activity or commercial gain Towards Post-Quantum Bitcoin Side-Channel Analysis of Bimodal Lattice Signatures Leon Groot Bruinderink Email: [email protected] Student-ID: 0682427 A thesis submitted in partial fulfillment of the requirements for the degree of Master of Science in Industrial and Applied Mathematics Supervisors: prof.dr. Tanja Lange (TU/e) dr. Andreas H¨ulsing(TU/e) dr. Lodewijk Bonebakker (ING) January 2016 Acknowledgements This thesis is the result of many months of work, both at my internship company ING and university TU/e.
    [Show full text]
  • Masking the GLP Lattice-Based Signature Scheme at Any Order
    Masking the GLP Lattice-Based Signature Scheme at Any Order Gilles Barthe1, Sonia Bela¨ıd2, omas Espitau3, Pierre-Alain Fouque4, Benjamin Gregoire´ 5, Melissa´ Rossi6;7, and Mehdi Tibouchi8 1 IMDEA Soware Institute [email protected] 2 CryptoExperts [email protected] 3 Sorbonne Universite,´ Laboratoire d’informatique de Paris VI [email protected] 4 Universite´ de Rennes [email protected] 5 Inria Sophia Antipolis [email protected] 6 ales 7 Ecole´ Normale Superieure´ de Paris, Departement´ d’informatique, CNRS, PSL Research University, INRIA [email protected] 8 NTT Secure Platform Laboratories [email protected] Abstract. Recently, numerous physical aacks have been demonstrated against laice- based schemes, oen exploiting their unique properties such as the reliance on Gaussian distributions, rejection sampling and FFT-based polynomial multiplication. As the call for concrete implementations and deployment of postquantum cryptography becomes more pressing, protecting against those aacks is an important problem. However, few counter- measures have been proposed so far. In particular, masking has been applied to the decryp- tion procedure of some laice-based encryption schemes, but the much more dicult case of signatures (which are highly non-linear and typically involve randomness) has not been considered until now. In this paper, we describe the rst masked implementation of a laice-based signature scheme. Since masking Gaussian sampling and other procedures involving contrived prob- ability distribution would be prohibitively inecient, we focus on the GLP scheme of Guneysu,¨ Lyubashevsky and Poppelmann¨ (CHES 2012). We show how to provably mask it in the Ishai–Sahai–Wagner model (CRYPTO 2003) at any order in a relatively ecient man- ner, using extensions of the techniques of Coron et al.
    [Show full text]
  • Optimizing NTRU Using AVX2
    Master Thesis Computing Science Cyber Security Specialisation Radboud University Optimizing NTRU using AVX2 Author: First supervisor/assessor: Oussama Danba dr. Peter Schwabe Second assessor: dr. Lejla Batina July, 2019 Abstract The existence of Shor's algorithm, Grover's algorithm, and others that rely on the computational possibilities of quantum computers raise problems for some computational problems modern cryptography relies on. These algo- rithms do not yet have practical implications but it is believed that they will in the near future. In response to this, NIST is attempting to standardize post-quantum cryptography algorithms. In this thesis we will look at the NTRU submission in detail and optimize it for performance using AVX2. This implementation takes about 29 microseconds to generate a keypair, about 7.4 microseconds for key encapsulation, and about 6.8 microseconds for key decapsulation. These results are achieved on a reasonably recent notebook processor showing that NTRU is fast and feasible in practice. Contents 1 Introduction3 2 Cryptographic background and related work5 2.1 Symmetric-key cryptography..................5 2.2 Public-key cryptography.....................6 2.2.1 Digital signatures.....................7 2.2.2 Key encapsulation mechanisms.............8 2.3 One-way functions........................9 2.3.1 Cryptographic hash functions..............9 2.4 Proving security......................... 10 2.5 Post-quantum cryptography................... 12 2.6 Lattice-based cryptography................... 15 2.7 Side-channel resistance...................... 16 2.8 Related work........................... 17 3 Overview of NTRU 19 3.1 Important NTRU operations................... 20 3.1.1 Sampling......................... 20 3.1.2 Polynomial addition................... 22 3.1.3 Polynomial reduction.................. 22 3.1.4 Polynomial multiplication...............
    [Show full text]